TRACK: A Novel Approach for Defending Against Distributed Denial-of-Service Attacks
Authors
Abstract
This paper presents a novel countermeasure against Distributed Denial-of-Service (DDoS) attacks that we call rouTer poRt mArking and paCKet filtering (TRACK), which includes the functions of both IP traceback and packet filtering. TRACK is a comprehensive solution composed of two components: a router port marking module and a packet filtering module. The former is a novel packet marking scheme for IP traceback, and the latter is a novel packet filtering scheme that utilizes the information gathered by the former component. The router port marking scheme marks packets by probabilistically writing a router interface's port number, a locally unique 6-digit identifier, into the packets the router transmits. After collecting the packets marked by each router in an attacking path, a victim machine can use the information contained in those packets to trace the attack back to its source (i.e., solve the "IP traceback" problem). In the packet filtering component, the information contained in the same packets is used to filter the malicious packets at the upstream routers (i.e., routers located in the direction of the attackers), thus effectively mitigating attacks. Because very little space is required to mark a port number, TRACK allows us to include attack signature information along with the port number within a single packet's IP header. The resulting advantage is threefold: (1) significantly fewer packets need to be collected to trace back the attack source compared to previous IP traceback schemes, (2) very little computation overhead is required in the traceback process, and (3) scalability: a large number of attackers (i.e., zombies) can be traced back efficiently. Because TRACK uses the router interface instead of the entire router as the "atomic unit" for IP traceback and packet filtering, it can accomplish these tasks with much finer granularity, which helps to lower the false positives.
In the paper, we also show that TRACK supports gradual deployment.
Index terms – Distributed Denial-of-Service, IP Traceback, Packet Filtering, Network Security.
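As an added illustration of the marking and traceback steps described in the abstract (this is not code from the paper): a small simulation in which each router on a constructed attack path probabilistically overwrites the mark with the port number of the interface the packet arrived on, and the victim rebuilds the path hop by hop from the collected marks. The distance counter, the ingress-port convention and the per-router port tables are assumptions made for the simulation; the paper's actual header encoding, including the 6-digit port identifier and the attack-signature field, is not reproduced here.

```python
import random
from collections import Counter

# Constructed topology (not from the paper): for each router, the upstream node
# attached to each local interface port. Port numbers are only locally unique.
UPSTREAM = {
    "R3": {7: "R2", 12: "ISP-A"},
    "R2": {3: "R1", 9: "ISP-B"},
    "R1": {5: "zombie", 21: "client"},
}
# Constructed attack path from the victim's first-hop router outward; each hop
# is (router, ingress port on which the attack traffic arrives).
ATTACK_PATH = [("R3", 7), ("R2", 3), ("R1", 5)]

def mark_packet(path, p, rng):
    """Forward one packet toward the victim. With probability p a router overwrites
    the mark with its ingress port and resets the (assumed) distance counter."""
    mark = None
    for _router, port in reversed(path):       # attacker side first
        if rng.random() < p:
            mark = [port, 0]
        elif mark is not None:
            mark[1] += 1                       # one more unmarked hop downstream
    return mark                                # None if no router marked it

def collect_marks(path, n, p=0.2, seed=1):
    """Victim side: count (distance, port) pairs seen across n attack packets."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n):
        m = mark_packet(path, p, rng)
        if m is not None:
            counts[(m[1], m[0])] += 1
    return counts

def reconstruct_path(counts, first_hop, upstream):
    """Walk upstream hop by hop: at each distance take the most frequent port,
    then resolve that port to the neighbouring router via its port table."""
    current, path, dist = first_hop, [], 0
    while True:
        ports = {port: c for (d, port), c in counts.items() if d == dist}
        if not ports:
            break
        port = max(ports, key=ports.get)
        path.append((current, port))           # (router, interface) is the atomic unit
        current = upstream.get(current, {}).get(port)
        if current not in upstream:            # reached an edge host or unknown port
            break
        dist += 1
    return path
```

The (router, port) pairs returned by `reconstruct_path` are exactly what the filtering component needs: a rule installed on interface 5 of R1 drops the attack traffic without touching the legitimate client on interface 21 of the same router.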
Similar resources
HF-Blocker: Detection of Distributed Denial of Service Attacks Based On Botnets
Abstract—Today, botnets have become a serious threat to enterprise networks. By creation of network of bots, they launch several attacks, distributed denial of service attacks (DDoS) on networks is a sample of such attacks. Such attacks with the occupation of system resources, have proven to be an effective method of denying network services. Botnets that launch HTTP packet flood attacks agains...
Neural Network Based Protection of Software Defined Network Controller against Distributed Denial of Service Attacks
Software Defined Network (SDN) is a new architecture for network management and its main concept is centralizing network management in the network control level that has an overview of the network and determines the forwarding rules for switches and routers (the data level). Although this centralized control is the main advantage of SDN, it is also a single point of failure. If this main contro...
Defending Against DDoS Attacks in Bloom Filter based Multicasting
Bloom filter (BF) based forwarding is an effective approach to implement scalable multicasting in distributed systems. The forwarding BF carried by each packet can encode either multicast tree or destination IP addresses, which are termed as tree oriented approach (TOA) and destination oriented approach (DOA), respectively. Recent studies have indicated that TOA based protocols have serious vul...
Defending against Distributed Denial-of-Service Attacks with Weight-Fair Router Throttles
A high profile internet server is always a target of denial-of-service attacks. In this project, we propose a novel technique for protecting an internet server from distributed denial-of-service attacks. The defense mechanism is based on a distributed algorithm that performs weight-fair throttling at the upstream routers. The throttling is weight-fair because the traffics destined for the serve...
Protection from distributed denial of service attacks using history-based IP filtering
In this paper, we introduce a practical scheme to defend against Distributed Denial of Service (DDoS) attacks based on IP source address filtering. The edge router keeps a history of all the legitimate IP addresses which have previously appeared in the network. When the edge router is overloaded, this history is used to decide whether to admit an incoming IP packet. Unlike other proposals to de...